” Excellent post Simon and you highlight some of the major security concerns that C levels have when it comes to cloud computing. Another concern should also be the importance of your cloud provider’s reputation. Potential cloud customers need to ask: Who is really managing my company’s sensitive information? What are their internal security practices? How well do they handle incident response? How reliable is the infrastructure that provides the service? Are they prone to service outages? How can my service provider recover my cloud stuff? All of those are very valid questions and concerns that lurk in the minds of potential cloud adopters. Let’s put some of those concerns to rest!” Paul Richards

Thanks for that response Paul, you have highlighted some great points that customers should ask potential providers at both a technical and operational level. Customers should also question:

The provider’s financial stability. Will they be able to keep systems up and running? What is their pedigree in providing such system availability over time? (Not just in the last twelve months!)

The SLA’s (Service Level Agreements) they provide.

The providers approach to recovery. Will they recover the system on failure or disaster? In what time? To what extent? Business continuity and recovery should always be a ‘must have’ rather than an after thought.

Your points also interlink well with my response to Baggy on data portability. As stated there; it’s critical to know who is managing your data, how secure it is and how easy it is to port. These are all critical questions to ask when selecting a cloud services provider.

As promised a while back, I wanted to discuss some of the points made by Baggy on one of my recent posts (see more detail here).

“I was very interested by the first few paragraphs regarding portability. I have come across a large multinational who have been severely restricted by their current hosting and managed service provider to allow their business continuity company to port/replicate and even vault their data off their production site. The reason given by their hosting provider for the restriction …?…”you are utilising a shared disk model and we cannot RISK the chance your third party may interfere with other clients using the same platform”. Sounds unbelievable I know but absolutely true!” Baggy

I have to say I am slightly concerned on a number of points here. To start with if the company has signed a contract that prevents it from signing an alternative contract to port/replicate/backup their production data for business continuity, surely that’s anti-competitive!

Secondly, it’s the customer’s data and they have the right to mitigate risk across two providers. The reason given to the customer by their hosting provider around “utilising shared disk” and the possibility of “third party interference with other clients”, suggests to me that the overall security of the platform is definitely questionable.

There is a possibility that the hosting provider’s technology may not allow data portability at a hardware level, but at a software level it should definitely be possible. Of course, it would dependant upon the amount of data the customer wants to port/replicate/backup as the network could restrict the desired RPO (recovery point objective) and the RTO (Recovery Time Objective).

If I were the customer I would challenge the supplier further – after all who owns the data? The provider may own the infrastructure but should support the customer, especially when the customer is simply looking to increase their overall resilience.

If I were looking to outsource any of my compute and data needs I always start by asking what the suppliers approach to data portability is.

I believe a future opportunity will arise for Cloud Computing service providers to partner – as long as they use a similar technology. This could create a multi-vendor, cross-vendor cloud platform. So, where as today you have many vendors working independently, providers could begin to work in parallel; integrating data to create a portability process that will enable true data portability whilst minimising risk.

“With hundreds of terabytes in the cloud — you are no longer portable and you’re not going to be portable, so get over it,”*

This thought grabbed my attention… the idea that when you store a lot of data within a ‘cloud’, I mean terabytes… that you’re then stuck in that cloud and can not migrate, port or replicate to a another cloud provider (regardless of whether they provide private or public clouds), you can’t even revert to your own private cloud! In some ways I concur with this – if you’re running within a cloud you’re just buying virtual machines and the storage presentation to the virtual machine is so intertwined that it’s hard to unravel…

So this is where I think a private cloud offering gives you the assurance that you’re still able to migrate, port or replicate from your own data centre into the cloud and vice versa back out of the cloud. The technology itself is very important, your provider needs to pick the right mix of technology so that you always have the option to migrate or move away from that specific provider if you decide to move your data elsewhere…

Anyway back to the data… so lets take an example of how you can migrate in and migrate out utilising migration technology through replication… if the ‘store’ service in a private cloud platform utilises multi-vendor virtualisation technology it can support a larger quantity of vendors arrays. This means multiple arrays from multiple vendors can be supported through a multi protocol fabric.

An example of how this could work for a customer migrating to the cloud would be the following… btw this is in the roadmap for 2010 (POC has already been completed with some great results!!)

It’s possible to deploy ‘virtualisation appliances’ into a customer’s data centre, enabling the customer to have a virtual storage platform and giving them a ‘single view’ of their storage. The customer will have to accept some change(s) but will not have to make their current IT investment redundant thus prolonging the life of their current storage assets – providing ROI and TCO in a single proposition for their management! Once virtualised, it’s possible to replicate the data into a storage cloud. (This is already up and running in our cloud today!)

This strategy provides a stepped approach for migration to cloud services, the first step is ‘cloud recovery’, then you begin to migrate production services as and when the business has seen the benefits and trusts the ‘cloud’ to run it’s mission critical applications!

So already you can see some benefits – when you want to move out of the cloud you reverse the process… see cloud can be portable!